Hi, I am using letsencrypt to sign my certificates. Currently letsencrypt is not issuing certificate for SERVFAIL responses, so is there any deadline that letsencrypt will not issue certificate if the domain doesn’t have CAA record?? If CAA is mandatory should i require CAA record to renew my exis…

For you, a subscriber (someone who wants certificates, rather than an Issuer like Let’s Encrypt) it is not mandatory to have CAA records, but it WILL be mandatory to be able to answer DNS queries about those records, in your case your DNS server would just need to say it has no such records. Does t…

Thanks tialaramex. So you are saying letsencrypt did not give any deadline for CAA record, as they only query the record and our dns server should respond as no such records. But many blogs says the CAA record is mandatory after September but there is no use of making this announcement.

[image] suguprathap: But many blogs says the CAA record is mandatory after September but there is no use of making this announcement. Those blogs are totally mistaken if they phrased it that way. On the other hand, it's really important for DNS server software to be updated so that it doesn't…

There’s a very nuanced difference between ‘CAA records are required’ and ‘support for CAA records is required.’ The change in September is the latter, not the former. It’s going to be virtually no change compared to how Let’s Encrypt currently operates, as CAA lookups must by responded to properly …

You may find this page helpful: https://letsencrypt.org/docs/caa

Is CAA record is mandatory after september

Help

schoen August 16, 2017, 4:28pm 3

What’s mandatory in September is CAA checking on the CA side, but as @tialaramex explains, “no CAA records” is a valid reply which will not prevent certificate issuance.

Topic		Replies	Views
Cant renew cert: DNS problem: SERVFAIL looking up CAA Help	20	6377	October 6, 2017
Why letsencrypt query my DNS for CAA record? Help	4	3455	May 15, 2016
How to use without CAA? Help	16	6886	August 20, 2017
Is there any way to pass validation if DNS Server does not respond to CAA? Issuance Tech	9	2963	February 15, 2017
Let's encrypt returns "query timed out looking up CAA for <domain_name>" error when obtaining a new certificate Help	12	12546	January 6, 2018

Is CAA record is mandatory after september

Related topics